Initial source code release for Intel GPU base operator

Enables deployment of GPU Device Plugin or GPU DRA driver, and XPU Manager
via a ClusterPolicy CR. The operator can also expose GPU metrics to
Prometheus, configure NFD rules for targeted deployment, and deploy
Kueue queues for advanced scheduling.

GPUFirmwareUpdate CR can be used to update firmware on GPU devices.

Signed-off-by: Tuomas Katila <tuomas.katila@intel.com>
Signed-off-by: Patrik Flykt <patrik.flykt@intel.com>

Author: tkatila

.github/workflows/build-push-common.yaml

@@ -0,0 +1,61 @@
+name: build and push common
+on:
+  workflow_call:
+    inputs:
+      runner:
+        required: true
+        type: string
+
+permissions:
+  pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
+  contents: read
+  packages: write
+
+env:
+  REGISTRY: ${{ vars.REGISTRY }}
+  PROJECT: ${{ vars.PROJECT }}
+
+jobs:
+  push:
+    name: Publish Operator image
+    runs-on: ${{ inputs.runner }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          clean: true
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
+        with:
+          go-version-file: go.mod
+          check-latest: true
+          cache: false
+      - name: Generate tag
+        id: gentag
+        run: |
+          TAG=$(sed -n 's/^TAG ?= \(.*\)/\1/p' Makefile)
+          echo "TAG=$TAG" >> $GITHUB_OUTPUT
+      - run: make docker-build
+      - name: Log in to GitHub Container Registry
+        if: inputs.runner != 'self-hosted'
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Push to GitHub Container Registry
+        run: |
+          docker tag intel/intel-gpu-base-operator:${{ steps.gentag.outputs.TAG }} ${REGISTRY}/${PROJECT}/intel-gpu-base-operator:${{ steps.gentag.outputs.TAG }}
+          docker push ${REGISTRY}/${PROJECT}/intel-gpu-base-operator:${{ steps.gentag.outputs.TAG }}
+      - name: Get image digest
+        if: ${{ steps.gentag.outputs.TAG != 'devel' }}
+        id: digest
+        run: |
+          echo "image_sha=$(docker inspect --format='{{index .RepoDigests 0}}' ${REGISTRY}/${PROJECT}/intel-gpu-base-operator:${{ steps.gentag.outputs.TAG }})" >> $GITHUB_OUTPUT
+      # TODO: remove "false &&" when the repository is made public
+      - name: Install cosign
+        if: ${{ false && steps.gentag.outputs.TAG != 'devel' }}
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 #v4.1.1
+      - name: Keyless image sign
+        if: ${{ false && steps.gentag.outputs.TAG != 'devel' }}
+        run: |
+          cosign sign --yes ${{ steps.digest.outputs.image_sha }}
+

.github/workflows/build-push-public.yaml

@@ -0,0 +1,22 @@
+name: Build and Push (public)
+on:
+  push:
+    branches:
+      - 'main'
+    tags:
+      - 'v*'
+
+  workflow_dispatch:
+
+permissions:
+  pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
+  contents: read
+  packages: write
+
+jobs:
+  push:
+    name: Publish Operator image
+    uses: "./.github/workflows/build-push-common.yaml"
+    with:
+      runner: ubuntu-latest
+    secrets: inherit

.github/workflows/build-push-self-hosted.yaml

@@ -0,0 +1,22 @@
+name: Build and Push (self-hosted)
+on:
+  push:
+    branches:
+      - 'main'
+    tags:
+      - 'v*'
+
+  workflow_dispatch:
+
+permissions:
+  pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
+  contents: read
+  packages: write
+
+jobs:
+  push:
+    name: Publish Operator image
+    uses: "./.github/workflows/build-push-common.yaml"
+    with:
+      runner: self-hosted
+    secrets: inherit

.github/workflows/helm-publish.yaml

@@ -0,0 +1,45 @@
+name: Package and upload helm
+
+on:
+  workflow_dispatch:
+    inputs:
+      runner:
+        default: "self-hosted"
+        required: false
+        type: string
+
+permissions:
+  contents: read
+
+env:
+  REGISTRY: ${{ vars.REGISTRY }}
+  PROJECT: ${{ vars.PROJECT }}
+  RELEASE_REGISTRY: ${{ vars.REGISTRY }}/${{ vars.PROJECT }}
+
+jobs:
+  push-helm-charts:
+    runs-on: ${{ inputs.runner }}
+    permissions:
+      packages: write
+      contents: read
+
+    steps:
+      - name: Git checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-tags: true
+
+      - uses: azure/setup-helm@v4.3.0
+      - name: Log in to the Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        if: inputs.runner != 'self-hosted'
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push packaged Helm chart
+        run: make helm-push-chart
+
+      - name: Push packaged Helm policy chart
+        run: make helm-push-policy-chart

.github/workflows/validate-common.yaml

@@ -0,0 +1,199 @@
+name: validation common
+on:
+  workflow_call:
+    inputs:
+      runner:
+        required: true
+        type: string
+
+permissions:
+  pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
+  contents: read
+
+env:
+  isubuntu: ${{ startsWith (inputs.runner, 'ubuntu') }}
+
+jobs:
+  generated:
+    name: Check generated files are in sync
+    runs-on: ${{ inputs.runner }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          clean: true
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
+        with:
+          go-version-file: go.mod
+          check-latest: true
+          cache: false
+      - run: |
+          make check-generated-files
+  golangci:
+    name: Run lint
+    runs-on: ${{ inputs.runner }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          clean: true
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
+        with:
+          go-version-file: go.mod
+          check-latest: true
+          cache: false
+      - run: |
+          make lint
+  build:
+    name: Build all
+    runs-on: ${{ inputs.runner }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          clean: true
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
+        with:
+          go-version-file: go.mod
+          check-latest: true
+          cache: false
+      - run: make build
+      - run: make docker-build
+      - name: Run Trivy for operator image (json)
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+        with:
+          scan-type: image
+          scan-ref: intel/intel-gpu-base-operator:devel
+          format: json
+          trivy-config: trivy.yaml
+          exit-code: 1
+          output: operator-image-vulnerabilities.json
+      - name: Run Trivy for go.mod (json)
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+        with:
+          scan-type: fs
+          scan-ref: go.mod
+          format: json
+          trivy-config: trivy.yaml
+          exit-code: 1
+          output: go.mod-vulnerabilities.json
+          list-all-pkgs: true
+      - run: |
+          cp .trivyignore.yaml trivyignore.yaml
+      - name: Store image reports as artifacts
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: trivy-vulnerabilities
+          path: |
+            trivyignore.yaml
+            operator-image-vulnerabilities.json
+            go.mod-vulnerabilities.json
+          retention-days: 14
+
+  tests:
+    name: Run tests
+    runs-on: ${{ inputs.runner }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          clean: true
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
+        with:
+          go-version-file: go.mod
+          check-latest: true
+          cache: false
+      - name: Run tests
+        run: |
+          make envtest
+          make test
+  goverify:
+    name: Run golang verify
+    runs-on: ${{ inputs.runner }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          clean: true
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
+        with:
+          go-version-file: go.mod
+          check-latest: true
+          cache: false
+      - name: Run golang mod verify
+        run: |
+          go mod verify
+
+  trivy_dockerfiles:
+    name: Run trivy dockerfile
+    runs-on: ${{ inputs.runner }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          clean: true
+      - name: Run Trivy for dockerfiles
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+        with:
+          scan-type: config
+          scan-ref: build/
+          format: table
+          trivy-config: trivy.yaml
+          exit-code: 1
+          severity: CRITICAL,HIGH,MEDIUM
+
+      - name: Run Trivy for dockerfiles (json)
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+        if: always()
+        with:
+          scan-type: config
+          scan-ref: build/
+          format: json
+          trivy-config: trivy.yaml
+          exit-code: 1
+          severity: CRITICAL,HIGH,MEDIUM
+          output: trivy-dockerfiles.json
+      - run: |
+          cp .trivyignore.yaml trivyignore.yaml
+      - name: Store dockerfile analysis report as artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: always()
+        with:
+          name: trivy-dockerfiles-json
+          path: |
+            trivy-dockerfiles.json
+            trivyignore.yaml
+          retention-days: 14
+
+  trivy_deployments:
+    name: Run trivy deployments
+    runs-on: ${{ inputs.runner }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          clean: true
+      - name: Run Trivy for deployments
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+        with:
+          scan-type: config
+          scan-ref: config/deployments
+          format: table
+          trivy-config: trivy.yaml
+          exit-code: 1
+          severity: CRITICAL,HIGH,MEDIUM
+      - name: Run Trivy for deployments (json)
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+        if: always()
+        with:
+          scan-type: config
+          scan-ref: config/deployments
+          format: json
+          trivy-config: trivy.yaml
+          exit-code: 1
+          severity: CRITICAL,HIGH,MEDIUM
+          output: trivy-deployments.json
+      - run: |
+          cp .trivyignore.yaml trivyignore.yaml
+      - name: Store vulnerability report as artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: always()
+        with:
+          name: trivy-deployments-json
+          path: |
+            trivy-deployments.json
+            trivyignore.yaml
+          retention-days: 14